<div dir="ltr"><div>Thanks for the pointers Stian. <br><br>I used this:<br><br><a href="http://keycloak.github.io/docs/rest-api/index.html#_get_admin_realms_realm_clients_initial_access">http://keycloak.github.io/docs/rest-api/index.html#_get_admin_realms_realm_clients_initial_access</a><br><br></div>and it worked just fine.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 8, 2016 at 8:57 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On 8 March 2016 at 16:03, Orestis Tsakiridis <span dir="ltr"><<a href="mailto:orestis.tsakiridis@telestax.com" target="_blank">orestis.tsakiridis@telestax.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div>Thanks Stian!<br><br></div>Client Registration service passed under my radar (still on 1.6.1).<br><br></div>I was wondering, Initial Access Tokens seem to be only generated from the Administration Console. Is there a REST API for that ?</div></blockquote><div><br></div></span><div>The admin console is just a HTML5 app calling REST APIs, so yes ;). 
See <a href="http://keycloak.github.io/docs/rest-api/index.html" target="_blank">http://keycloak.github.io/docs/rest-api/index.html</a> and you need a bearer token with the appropriate roles to invoke.</div><span class=""><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div><div><br><br><div><br><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 4, 2016 at 12:09 PM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">For dynamic registration of clients take a look at <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/client-registration.html</a></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On 4 March 2016 at 09:12, Orestis Tsakiridis <span dir="ltr"><<a href="mailto:orestis.tsakiridis@telestax.com" target="_blank">orestis.tsakiridis@telestax.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div><div dir="ltr"><div><div><div><div>Hello,<br><br></div>I'm trying to design a keycloak-based system that will have the following characteristics:<br><br></div>* A single realm R will exist with a big set of users.<br></div>* Users will be able to install instances of software X that consists of four (4) applications protected by keycloak.<br></div><div>* Each application in any instance of X will have a corresponding Keycloak Client entity containing a set of 
application-level roles. Thus, having the appropriate role, a user of R can selectively be granted access to any application of any instance of X.<br></div><div>* The addition of a new instance of X to the keycloak realm (the creation of the Clients, client roles etc.) is called 'registration' and will be done using the Keycloak Admin REST API.<br></div><div><br></div><div>What's the best practice to achieve automatic registration of a new instance to the realm? <br><br>I've considered the following:<br><br></div><div>a. Have the instance applications *directly* consume keycloak Admin REST API and create Clients and Client roles. As far as I investigated, users of the instance will need to have an R:realm-management:manage-clients role in order to do that (create-client didn't work). This seems a pretty permissive role to give to any user in R.<br></div><div><br>b. Have a separate keycloak-protected application that won't be part of X to do the important work of 'registration'. It will work as a proxy. The application will act on behalf of an administrator user with a powerful role like R:realm-management:realm-admin. The application will define its own set of roles and HTTP API for instance registration. All users will have to go through it to register their instance. It will work as a proxy. But they won't need to be granted dangerous roles to do it.<br><br></div><div>Any suggestion will be more than welcome.<br><br></div><div>Thanks<span><font color="#888888"><br><br></font></span></div><span><font color="#888888"><div>Orestis<br></div><div><br></div></font></span></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div></div>
</blockquote></span></div><br></div></div>
</blockquote></div><br></div>
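The registration flow the thread converges on (the proxy from option b issuing Keycloak initial access tokens through the Admin REST API, and each instance registering its own client through the Client Registration service), as an added Python example that is not code from the thread, from Keycloak or from Telestax. It assumes a Keycloak 1.x/2.x base URL with the /auth prefix, a user in realm R holding realm-management roles (obtained through the built-in admin-cli client with the password grant), the default registration provider at /realms/{realm}/clients-registrations/default, and the admin endpoints /admin/realms/{realm}/clients-initial-access and /admin/realms/{realm}/clients/{id}/roles. The FakeKeycloak transport and every name used in demo() are constructed so the flow runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, body_bytes) -> (status, body_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class RegistrationService:
    """Option (b) from the thread: the only component holding realm-admin credentials.
    It never grants an instance user a role; it hands out a single-use initial access token."""

    def __init__(self, base_url, realm, admin_user, admin_password, transport=urllib_transport):
        self.base, self.realm = base_url.rstrip("/"), realm
        self.admin_user, self.admin_password, self.transport = admin_user, admin_password, transport

    def _call(self, method, path, headers, payload, ok):
        status, body = self.transport(method, self.base + path, headers, payload)
        if status not in ok:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {body[:200]!r}")
        return json.loads(body) if body else None

    def _admin_headers(self):
        # Password grant on the realm's token endpoint through the built-in admin-cli client.
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": self.admin_user, "password": self.admin_password}).encode()
        tok = self._call("POST", f"/realms/{self.realm}/protocol/openid-connect/token",
                         {"Content-Type": "application/x-www-form-urlencoded"}, form, {200})
        return {"Authorization": "Bearer " + tok["access_token"], "Content-Type": "application/json"}

    def issue_initial_access_token(self, count=1, expiration=300):
        # count=1 makes the token single-use; expiration (seconds) bounds the install window.
        created = self._call("POST", f"/admin/realms/{self.realm}/clients-initial-access", self._admin_headers(),
                             json.dumps({"count": count, "expiration": expiration}).encode(), {200, 201})
        return created["token"]

    def create_client_roles(self, client_uuid, role_names):
        # Client roles are outside the registration service, so the proxy adds them with its own token.
        hdr = self._admin_headers()
        for name in role_names:
            self._call("POST", f"/admin/realms/{self.realm}/clients/{client_uuid}/roles",
                       hdr, json.dumps({"name": name}).encode(), {201})
        return list(role_names)


def register_client(base_url, realm, initial_access_token, client_id, redirect_uris, transport=urllib_transport):
    """Run on the software-X instance: needs nothing but the initial access token."""
    rep = {"clientId": client_id, "protocol": "openid-connect", "redirectUris": redirect_uris,
           "publicClient": False, "standardFlowEnabled": True}
    status, body = transport("POST", f"{base_url.rstrip('/')}/realms/{realm}/clients-registrations/default",
                             {"Authorization": "Bearer " + initial_access_token, "Content-Type": "application/json"},
                             json.dumps(rep).encode())
    if status != 201:
        raise RuntimeError(f"registration failed: HTTP {status}")
    created = json.loads(body)
    # The registration access token lets the instance update only this one client later on.
    return created["id"], created["registrationAccessToken"]


class FakeKeycloak:
    """Constructed stand-in for the four endpoints used above (offline only)."""

    def __init__(self):
        self.calls, self.initial_tokens, self.roles = [], {}, {}

    def __call__(self, method, url, headers, body):
        path = url.split("/auth", 1)[1]
        auth = headers.get("Authorization", "")
        self.calls.append((method, path, auth))
        if path.endswith("/protocol/openid-connect/token"):
            return 200, json.dumps({"access_token": "admin-jwt"}).encode()
        if auth == "Bearer admin-jwt" and path.endswith("/clients-initial-access"):
            self.initial_tokens["iat-1"] = json.loads(body)["count"]
            return 200, json.dumps({"id": "ia1", "token": "iat-1"}).encode()
        if path.endswith("/clients-registrations/default"):
            tok = auth[len("Bearer "):]
            if self.initial_tokens.get(tok, 0) < 1:
                return 401, b'{"error":"invalid_token"}'
            self.initial_tokens[tok] -= 1  # remaining count drops: the token is spent
            return 201, json.dumps({"id": "c-uuid", "clientId": json.loads(body)["clientId"],
                                    "registrationAccessToken": "rat-1"}).encode()
        if auth == "Bearer admin-jwt" and "/clients/" in path and path.endswith("/roles"):
            self.roles.setdefault(path.split("/")[-2], []).append(json.loads(body)["name"])
            return 201, b""
        return 403, b'{"error":"forbidden"}'


def demo():
    kc = FakeKeycloak()
    base, realm = "http://localhost:8080/auth", "R"
    svc = RegistrationService(base, realm, "reg-admin", "s3cret", transport=kc)
    iat = svc.issue_initial_access_token(count=1, expiration=300)
    uuid, rat = register_client(base, realm, iat, "x-instance-7-app1", ["https://x7.example/app1/*"], transport=kc)
    roles = svc.create_client_roles(uuid, ["app1-user", "app1-admin"])
    try:  # a second registration with the same single-use token must be refused
        register_client(base, realm, iat, "x-instance-7-app2", [], transport=kc)
        reused = True
    except RuntimeError:
        reused = False
    return {"uuid": uuid, "rat": rat, "roles": roles, "reused": reused, "fake_roles": kc.roles}


if __name__ == "__main__":
    print(demo())
```

The point of the split is the privilege boundary: the instance never holds anything that maps to manage-clients. A leaked initial access token with count=1 registers at most one client before it is spent, and the registration access token it gets back only permits changes to that same client, so neither grants the instance the ability to touch other tenants' clients.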